Showing
with 225 additions and 236 deletions
- name: install certbot
- name: Install certbot
pacman: name=certbot{{ ",certbot-dns-rfc2136" if certbot_dns_support }} state=present
- name: install rfc2136.ini
- name: Install rfc2136.ini
template: src=rfc2136.ini.j2 dest=/etc/letsencrypt/rfc2136.ini owner=root group=root mode=0600
when: certbot_dns_support
- name: install letsencrypt hook
- name: Install letsencrypt hook
copy: src=hook.sh dest=/etc/letsencrypt/hook.sh owner=root group=root mode=0755
- name: create letsencrypt hook dir
- name: Create letsencrypt hook dir
file: state=directory path=/etc/letsencrypt/hook.d owner=root group=root mode=0755
- name: install letsencrypt renewal service
- name: Install letsencrypt renewal service
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- certbot-renewal.service
- certbot-renewal.timer
- name: activate letsencrypt renewal service
- name: Activate letsencrypt renewal service
systemd:
name: certbot-renewal.timer
enabled: true
state: started
daemon_reload: true
- name: open firewall holes for certbot standalone authenticator
- name: Open firewall holes for certbot standalone authenticator
ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
with_items:
- http
......
- name: create ssl cert (HTTP-01)
- name: Create ssl cert (HTTP-01)
shell: |
set -o pipefail
# We can't start nginx without the certificate and we can't issue a certificate without nginx running.
......@@ -10,7 +10,7 @@
creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
when: challenge | default(certificate_challenge) == "HTTP-01"
- name: create ssl cert (DNS-01)
- name: Create ssl cert (DNS-01)
command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
args:
creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
......
configure_network: false
enable_zram_swap: false
zram_fraction: 1.0
- name: restart journald
- name: Restart journald
systemd:
name: systemd-journald
state: restarted
daemon_reload: true
- name: systemd daemon-reload
- name: Systemd daemon-reload
systemd:
daemon_reload: true
- name: restart systemd-zram-setup@zram0
- name: Restart systemd-zram-setup@zram0
service: name=systemd-zram-setup@zram0 state=restarted daemon_reload=yes
- name: install essential tools
- name: Install essential tools
pacman: name=vim,nano,tmux,htop,ncdu,bash-completion,rsync,vnstat state=present
- name: start and enable vnstatd
- name: Start and enable vnstatd
service: name=vnstat enabled=yes state=started
- name: install inetutils for hostname
- name: Install inetutils for hostname
pacman: name=inetutils state=present
- name: set hostname
- name: Set hostname
hostname: name="{{ inventory_hostname }}"
- name: install pacman config
- name: Install pacman config
template: src=pacman.conf.j2 dest=/etc/pacman.conf mode=0644 owner=root group=root
- name: configure pacman mirror
- name: Configure pacman mirror
template: src=mirrorlist.j2 dest=/etc/pacman.d/mirrorlist owner=root group=root mode=0644
- name: update package cache
- name: Update package cache
pacman: update_cache=yes
- name: start and enable auditd
- name: Start and enable auditd
service: name=auditd enabled=yes state=started
- name: start and enable systemd-timesyncd
- name: Start and enable systemd-timesyncd
service: name=systemd-timesyncd enabled=yes state=started
- name: install smart
- name: Install smart
pacman: name=smartmontools state=present
when: "'hcloud' not in group_names"
- name: configure smartd to do periodic health checks
- name: Configure smartd to do periodic health checks
copy: src=smartd.conf dest=/etc/smartd.conf owner=root group=root mode=0644
when: "'hcloud' not in group_names"
- name: start and enable smart
- name: Start and enable smart
service: name=smartd enabled=yes state=started
when: "'hcloud' not in group_names"
- name: start and enable btrfs scrub timer
- name: Start and enable btrfs scrub timer
service: name=btrfs-scrub@{{ '-' if (item.mount | length == 1) else (item.mount.split("/", 1)[1] | replace("/", "-")) }}.timer enabled=yes state=started
loop: "{{ ansible_mounts | sort(attribute='mount') | groupby('uuid') | map(attribute=1) | map('first') }}"
when:
- item.fstype == 'btrfs'
- not 'backup' in item.mount
- name: generate locales
- name: Generate locales
locale_gen: name={{ item }} state=present
with_items:
- en_US.UTF-8
- name: configure locales
- name: Configure locales
template: src=locale.conf.j2 dest=/etc/locale.conf owner=root group=root mode=0644
- name: generate ssh key for root
- name: Generate ssh key for root
command: ssh-keygen -b 4096 -N "" -f /root/.ssh/id_rsa creates="/root/.ssh/id_rsa"
- name: configure networking
- name: Configure networking
include_role:
name: networking
when: configure_network
- name: configure tcp receive window limits
- name: Configure tcp receive window limits
sysctl:
name: net.ipv4.tcp_rmem
value: "{{ tcp_rmem }}"
......@@ -68,7 +68,7 @@
sysctl_file: /etc/sysctl.d/net.conf
when: tcp_rmem is defined
- name: configure tcp send window limits
- name: Configure tcp send window limits
sysctl:
name: net.ipv4.tcp_wmem
value: "{{ tcp_wmem }}"
......@@ -76,81 +76,81 @@
sysctl_file: /etc/sysctl.d/net.conf
when: tcp_wmem is defined
- name: create drop-in directories for systemd configuration
- name: Create drop-in directories for systemd configuration
file: path=/etc/systemd/{{ item }}.d state=directory owner=root group=root mode=0755
loop:
- system.conf
- journald.conf
- name: install journald.conf overrides
- name: Install journald.conf overrides
template: src=journald.conf.j2 dest=/etc/systemd/journald.conf.d/override.conf owner=root group=root mode=644
notify:
- restart journald
- Restart journald
- name: install system.conf overrides
- name: Install system.conf overrides
template: src=system.conf.j2 dest=/etc/systemd/system.conf.d/override.conf owner=root group=root mode=0644
notify:
- systemd daemon-reload
- Systemd daemon-reload
- name: install zram-generator
- name: Install zram-generator
pacman: name=zram-generator state=present
when: enable_zram_swap
- name: install zram-generator config for zram
- name: Install zram-generator config for zram
template: src=zram-generator.conf dest=/etc/systemd/zram-generator.conf owner=root group=root mode=0644
notify:
- restart systemd-zram-setup@zram0
- Restart systemd-zram-setup@zram0
when: enable_zram_swap
- name: disable zswap to prevent conflict with zram
- name: Disable zswap to prevent conflict with zram
copy: content="w- /sys/module/zswap/parameters/enabled - - - - N" dest=/etc/tmpfiles.d/zram.conf owner=root group=root mode=0644
register: zramtmpfiles
when: enable_zram_swap
- name: use tmpfiles.d/zram.conf
- name: Use tmpfiles.d/zram.conf
command: systemd-tmpfiles --create
when: zramtmpfiles.changed
- name: create drop-in directories for oomd
- name: Create drop-in directories for oomd
file: path=/etc/systemd/system/{{ item }}.d state=directory owner=root group=root mode=0755
with_items:
- "-.slice"
- user@.service
- name: install drop-in snippets for oomd
- name: Install drop-in snippets for oomd
copy: src=oomd-override_{{ item }}.conf dest=/etc/systemd/system/{{ item }}.d/override.conf owner=root group=root mode=0644
with_items:
- "-.slice"
- user@.service
notify:
- systemd daemon-reload
- Systemd daemon-reload
- name: start systemd-oomd
- name: Start systemd-oomd
service: name=systemd-oomd state=started enabled=yes
- name: install logrotate
- name: Install logrotate
pacman: name=logrotate state=present
- name: configure logrotate
- name: Configure logrotate
template: src=logrotate.conf.j2 dest=/etc/logrotate.conf owner=root group=root mode=0644
- name: enable logrotate timer
- name: Enable logrotate timer
service: name=logrotate.timer state=started enabled=yes
- name: create zsh directory
- name: Create zsh directory
file: path=/root/.zsh state=directory owner=root group=root mode=0700
- name: install root shell config
- name: Install root shell config
copy: src={{ item }} dest=/root/.{{ item }} owner=root group=root mode=0644
with_items:
- zshrc
- dircolors
- name: install pacman-contrib,archlinux-contrib
- name: Install pacman-contrib,archlinux-contrib
pacman: name=pacman-contrib,archlinux-contrib state=installed
- name: install custom paccache.service
- name: Install custom paccache.service
copy: src=paccache.service dest=/etc/systemd/system/paccache.service owner=root group=root mode=0644
- name: enable paccache timer
- name: Enable paccache timer
systemd: name=paccache.timer enabled=yes state=started daemon_reload=yes
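Review bot: `Install journald.conf overrides` passes `mode=644` while every other file/template task in this section uses a leading-zero `0644` (and `system.conf overrides` two tasks later uses `mode=0644`). In key=value form Ansible receives the string "644" and converts it as octal, so the resulting permissions are correct today, but if these tasks are later converted to block YAML — the direction the `# noqa` cleanup in this commit points towards — an unquoted `mode: 644` is parsed as decimal 644 and yields 01204 permissions on the override file. Writing `mode=0644` now removes that trap and makes the section self-consistent. Separately, `Generate ssh key for root` creates a passphrase-less RSA key in /root/.ssh/id_rsa; that is presumably deliberate for automation, but its consumers are not visible here, so I would only note that ed25519 would be the usual choice if the path can be changed.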
[zram0]
max-zram-size = none
{% if zram_fraction is defined %}
zram-fraction = {{ zram_fraction }}
{% endif %}
- name: install svn, git, rsync and some perl stuff
- name: Install svn, git, rsync and some perl stuff
pacman: name=git,subversion,rsync,perl-dbd-pg,perl-timedate,diffstat state=present
- name: install sourceballs requirements (makepkg download dependencies)
- name: Install sourceballs requirements (makepkg download dependencies)
pacman: name=git,subversion,mercurial,breezy state=present
- name: install binutils for createlinks script
- name: Install binutils for createlinks script
pacman: name=binutils state=present
- name: create dbscripts users
- name: Create dbscripts users
user: name="{{ item }}" shell=/bin/bash
with_items:
- svn-packages
- svn-community
- name: add cleanup user
- name: Add cleanup user
user: name=cleanup groups=tu,dev,multilib shell=/sbin/nologin
- name: add sourceballs user
- name: Add sourceballs user
user: name=sourceballs shell=/sbin/nologin
- name: set up sudoers.d for special users
- name: Set up sudoers.d for special users
copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ repos_domain }}", "{{ repos_rsync_domain }}"]
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644
notify:
- reload nginx
- Reload nginx
tags:
- nginx
- name: create Arch Linux-specific users
- name: Create Arch Linux-specific users
user:
name: "{{ item.key }}"
group: users
......@@ -47,25 +47,25 @@
state: present
with_dict: "{{ arch_users }}"
- name: create .ssh directory
- name: Create .ssh directory
file: path=/home/svn-packages/.ssh state=directory owner=svn-packages group=svn-packages mode=0700
- name: configure ssh keys for devs
- name: Configure ssh keys for devs
template: src=authorized_keys-group.j2 dest=/home/svn-packages/.ssh/authorized_keys owner=svn-packages group=svn-packages mode=600
vars:
pubkey_groups: ['dev']
tags: ['archusers']
- name: create .ssh directory
- name: Create .ssh directory
file: path=/home/svn-community/.ssh state=directory owner=svn-community group=svn-community mode=0700
- name: configure ssh keys for TUs
- name: Configure ssh keys for TUs
template: src=authorized_keys-group.j2 dest=/home/svn-community/.ssh/authorized_keys owner=svn-community group=svn-community mode=600
vars:
pubkey_groups: ['tu']
tags: ['archusers']
- name: create staging directories in user homes
- name: Create staging directories in user homes
dbscripts_mkdirs:
pathtmpl: '/home/{user}/staging/{dirname}'
permissions: '755'
......@@ -74,88 +74,88 @@
group: users
tags: ["archusers"]
- name: create dbscripts paths
- name: Create dbscripts paths
file: path="{{ item }}" state=directory owner=root group=root mode=0755
with_items:
- /srv/repos/svn-community
- /srv/repos/svn-packages
- name: create svn-community/package-cleanup directory
- name: Create svn-community/package-cleanup directory
file: path="/srv/repos/svn-community/package-cleanup" state=directory owner=svn-community group=tu mode=0775
- name: add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
- name: Add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="user:cleanup:rwx" state=present
- name: add acl default:user::rwx to /srv/repos/svn-community/package-cleanup
- name: Add acl default:user::rwx to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="default:user::rwx" state=present
- name: add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="default:user:cleanup:rwx" state=present
- name: add acl default:group::rwx to /srv/repos/svn-community/package-cleanup
- name: Add acl default:group::rwx to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="default:group::rwx" state=present
- name: add acl default:other::r-x to /srv/repos/svn-community/package-cleanup
- name: Add acl default:other::r-x to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="default:other::r-x" state=present
- name: create svn-packages/package-cleanup directory
- name: Create svn-packages/package-cleanup directory
file: path="/srv/repos/svn-packages/package-cleanup" state=directory owner=svn-packages group=dev mode=0775
- name: add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
- name: Add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="user:cleanup:rwx" state=present
- name: add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup
- name: Add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user::rwx" state=present
- name: add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user:cleanup:rwx" state=present
- name: add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup
- name: Add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:group::rwx" state=present
- name: add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup
- name: Add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:other::r-x" state=present
- name: create svn-community/source-cleanup directory
- name: Create svn-community/source-cleanup directory
file: path="/srv/repos/svn-community/source-cleanup" state=directory owner=sourceballs group=svn-community mode=0755
- name: create svn-packages/source-cleanup directory
- name: Create svn-packages/source-cleanup directory
file: path="/srv/repos/svn-packages/source-cleanup" state=directory owner=sourceballs group=svn-packages mode=0755
- name: create svn-community/svn directory
- name: Create svn-community/svn directory
file: path="/srv/repos/svn-community/svn" state=directory owner=svn-community group=svn-community mode=0755
- name: add acl default:user::rwx to /srv/repos/svn-community/svn
- name: Add acl default:user::rwx to /srv/repos/svn-community/svn
acl: name=/srv/repos/svn-community/svn entry="default:user::rwx" state=present
- name: add acl default:group::r-x to /srv/repos/svn-community/svn
- name: Add acl default:group::r-x to /srv/repos/svn-community/svn
acl: name=/srv/repos/svn-community/svn entry="default:group::r-x" state=present
- name: add acl default:other::r-x to /srv/repos/svn-community/svn
- name: Add acl default:other::r-x to /srv/repos/svn-community/svn
acl: name=/srv/repos/svn-community/svn entry="default:other::r-x" state=present
- name: create svn-packages/svn directory
- name: Create svn-packages/svn directory
file: path="/srv/repos/svn-packages/svn" state=directory owner=svn-packages group=svn-packages mode=0755
- name: add acl default:user::rwx to /srv/repos/svn-packages/svn
- name: Add acl default:user::rwx to /srv/repos/svn-packages/svn
acl: name=/srv/repos/svn-packages/svn entry="default:user::rwx" state=present
- name: add acl default:group::r-x to /srv/repos/svn-packages/svn
- name: Add acl default:group::r-x to /srv/repos/svn-packages/svn
acl: name=/srv/repos/svn-packages/svn entry="default:group::r-x" state=present
- name: add acl default:other::r-x to /srv/repos/svn-packages/svn
- name: Add acl default:other::r-x to /srv/repos/svn-packages/svn
acl: name=/srv/repos/svn-packages/svn entry="default:other::r-x" state=present
- name: create svn-community/tmp directory
- name: Create svn-community/tmp directory
file: path="/srv/repos/svn-community/tmp" state=directory owner=svn-community group=tu mode=1775
- name: add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp
- name: Add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp
acl: name=/srv/repos/svn-community/tmp entry="user:sourceballs:rwx" state=present
- name: create svn-packages/tmp directory
- name: Create svn-packages/tmp directory
file: path="/srv/repos/svn-packages/tmp" state=directory owner=svn-packages group=dev mode=1775
- name: add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp
- name: Add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp
acl: name=/srv/repos/svn-packages/tmp entry="user:sourceballs:rwx" state=present
- name: touch /srv/ftp/lastsync file
- name: Touch /srv/ftp/lastsync file
file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644
- name: touch /srv/ftp/lastupdate file
- name: Touch /srv/ftp/lastupdate file
file: path="/srv/ftp/lastupdate" state=touch owner=ftp group=ftp mode=0644
- name: add acl group:tu:rw- to /srv/ftp/lastupdate
- name: Add acl group:tu:rw- to /srv/ftp/lastupdate
acl: name=/srv/ftp/lastupdate entry="group:tu:rw-" state=present
- name: add acl group:dev:rw- to /srv/ftp/lastupdate
- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
acl: name=/srv/ftp/lastupdate entry="group:dev:rw-" state=present
- name: fetch dbscripts PGP key
- name: Fetch dbscripts PGP key
command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
with_items: '{{ dbscripts_pgp_emails }}'
register: gpg
changed_when: "gpg.rc == 0"
- name: clone dbscripts git repo
- name: Clone dbscripts git repo
git: >
dest=/srv/repos/{{ item }}/dbscripts
repo=https://gitlab.archlinux.org/archlinux/dbscripts.git
......@@ -165,107 +165,101 @@
- svn-community
- svn-packages
- name: make /srv/svn
- name: Make /srv/svn
file: path=/srv/svn state=directory owner=root group=root mode=0755
- name: symlink /srv/svn/community to /srv/repos/svn-community/svn
- name: Symlink /srv/svn/community to /srv/repos/svn-community/svn
file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755
- name: symlink /srv/svn/packages to /srv/repos/svn-packages/svn
- name: Symlink /srv/svn/packages to /srv/repos/svn-packages/svn
file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755
- name: symlink /community to /srv/repos/svn-community/dbscripts
- name: Symlink /community to /srv/repos/svn-community/dbscripts
file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755
- name: symlink /packages to /srv/repos/svn-packages/dbscripts
- name: Symlink /packages to /srv/repos/svn-packages/dbscripts
file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755
- name: make debug packages-debug pool
- name: Make debug packages-debug pool
file: path=/srv/ftp/pool/packages-debug state=directory owner=root group=dev mode=0775
- name: make debug community-debug pool
- name: Make debug community-debug pool
file: path=/srv/ftp/pool/community-debug state=directory owner=root group=tu mode=2775
- name: make package root debug repos
- name: Make package root debug repos
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
with_items: '{{ package_repos }}'
- name: make community root debug repos
- name: Make community root debug repos
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=00755
with_items: '{{ community_repos }}'
- name: make package debug repos
- name: Make package debug repos
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=dev mode=0775
with_items: '{{ package_repos }}'
- name: make community debug repos
- name: Make community debug repos
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=tu mode=0775
with_items: '{{ community_repos }}'
- name: put rsyncd.conf into tmpfiles
- name: Put rsyncd.conf into tmpfiles
copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
register: rsyncdtmpfiles
- name: use tmpfiles.d/rsyncd.conf
- name: Use tmpfiles.d/rsyncd.conf
command: systemd-tmpfiles --create
when: rsyncdtmpfiles.changed
- name: create rsyncd-conf-genscripts
- name: Create rsyncd-conf-genscripts
file: path=/etc/rsyncd-conf-genscripts state=directory owner=root group=root mode=0700
- name: install rsync.conf.proto
- name: Install rsync.conf.proto
template: src=rsyncd.conf.proto.j2 dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644
- name: configure gen_rsyncd.conf.pl
- name: Configure gen_rsyncd.conf.pl
template: src=gen_rsyncd.conf.pl dest=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl owner=root group=root mode=0700
no_log: true
- name: generate mirror config
- name: Generate mirror config
command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
register: gen_rsyncd
changed_when: "gen_rsyncd.rc == 0"
- name: install svnlog
- name: Install svnlog
copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
- name: add arch-svntogit user
- name: Add arch-svntogit user
user: name=svntogit shell=/sbin/nologin home=/srv/svntogit generate_ssh_key=yes ssh_key_bits=4096
- name: configure svntogit git user name
- name: Configure svntogit git user name # noqa command-instead-of-module
command: git config --global user.name svntogit
become: true
become_user: svntogit
register: git_config_username
changed_when: "git_config_username.rc == 0"
tags:
- skip_ansible_lint
- name: configure svntogit git user email
- name: Configure svntogit git user email # noqa command-instead-of-module
command: git config --global user.email svntogit@repos.archlinux.org
become: true
become_user: svntogit
register: git_config_email
changed_when: "git_config_email.rc == 0"
tags:
- skip_ansible_lint
- name: template arch-svntogit
- name: Template arch-svntogit
copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
- name: create svntogit repos subdir
- name: Create svntogit repos subdir
file: path="/srv/svntogit/repos" state=directory owner=svntogit group=svntogit mode=0775
- name: clone git-svn repos
- name: Clone git-svn repos # noqa command-instead-of-module
command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }} creates=/srv/svntogit/repos/{{ item }}
with_items:
- community
- packages
become: true
become_user: svntogit
tags:
- skip_ansible_lint
- name: add svntogit public remotes
- name: Add svntogit public remotes # noqa command-instead-of-module
command: git remote add public git@github.com:archlinux/svntogit-{{ item }}.git chdir=/srv/svntogit/repos/{{ item }}
with_items:
- community
......@@ -275,11 +269,9 @@
ignore_errors: true
register: git_public_remote
changed_when: "git_public_remote.rc == 0"
tags:
- skip_ansible_lint
# The following command also serves as a way to get the data the first time the repo is set up
- name: configure svntogit pull upstream branch
- name: Configure svntogit pull upstream branch # noqa command-instead-of-module
command: git pull --set-upstream public master chdir=/srv/svntogit/repos/{{ item }}
environment:
SHELL: /bin/bash
......@@ -290,43 +282,41 @@
become_user: svntogit
register: git_pull_upstream
changed_when: "git_pull_upstream.rc == 0"
tags:
- skip_ansible_lint
- name: fix svntogit home permissions
- name: Fix svntogit home permissions
file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775
- name: install repo helpers
- name: Install repo helpers
copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
with_items:
- lsrepo
- checklib32
- name: install createlinks script
- name: Install createlinks script
copy: src=createlinks dest=/usr/local/bin/createlinks owner=root group=root mode=0755
- name: start and enable rsync
- name: Start and enable rsync
service: name=rsyncd.socket enabled=yes state=started
- name: open firewall holes for rsync
- name: Open firewall holes for rsync
ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
when: configure_firewall
tags:
- firewall
- name: configure svnserve
- name: Configure svnserve
copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"
- name: start and enable svnserve
- name: Start and enable svnserve
service: name=svnserve enabled=yes state=started
- name: open firewall holes for svnserve
- name: Open firewall holes for svnserve
ansible.posix.firewalld: port=3690/tcp permanent=true state=enabled immediate=yes
when: configure_firewall
tags:
- firewall
- name: install systemd timers
- name: Install systemd timers
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- cleanup.timer
......@@ -342,9 +332,9 @@
- createlinks.timer
- createlinks.service
notify:
- daemon reload
- Daemon reload
- name: activate systemd timers
- name: Activate systemd timers
service: name={{ item }} enabled=yes state=started
with_items:
- cleanup.timer
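Review bot: `Set up sudoers.d for special users` copies a sudoers fragment into /etc/sudoers.d without a syntax check; a malformed fragment can leave sudo unusable on the repo host, and the copy module supports a validator for exactly this case — `copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600 validate="/usr/bin/visudo -cf %s"`. The 0600/root ownership itself is what sudo expects. While in this section, `mode=600` on the two authorized_keys templates for svn-packages and svn-community would read more consistently as `mode=0600`, the form the rest of the file uses; in key=value form Ansible receives a string so the value is the same either way, but the inconsistency becomes an octal-vs-decimal bug if the tasks are ever moved to block YAML.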
......
- name: reload debuginfod
- name: Reload debuginfod
service: name=debuginfod state=reloaded
- name: install debuginfod
- name: Install debuginfod
pacman: name=debuginfod state=present
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ debuginfod_domain }}"]
when: debuginfod_domain
- name: configure debuginfod systemd service
- name: Configure debuginfod systemd service
template: src=debuginfod.service.j2 dest=/etc/systemd/system/debuginfod.service owner=root group=root mode=0644
vars:
debuginfod_package_path: "{{ debuginfod_package_paths | join(' ') }}"
notify:
- reload debuginfod
- Reload debuginfod
- name: create http directory for debuginfod website files
- name: Create http directory for debuginfod website files
file: path=/srv/http/debuginfod state=directory owner=root group=root mode=0755
- name: install website files
- name: Install website files
copy: src={{ item }} dest=/srv/http/debuginfod/{{ item }} owner=root group=root mode=0644
loop:
- archlinux.png
- index.html
- name: install packagelist units
- name: Install packagelist units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
loop:
- packagelist.timer
- packagelist.service
- name: start and enable packagelist.timer
- name: Start and enable packagelist.timer
service: name=packagelist.timer enabled=yes state=started
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ debuginfod_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/debuginfod.conf owner=root group=root mode=0644
notify:
- reload nginx
- Reload nginx
when: debuginfod_domain
tags: ['nginx']
- name: open debuginfod ipv4 port for monitoring.archlinux.org
- name: Open debuginfod ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8002 accept"
tags:
- firewall
- name: start and enable debuginfod
- name: Start and enable debuginfod
service: name=debuginfod enabled=yes state=started
- name: reload dovecot
- name: Reload dovecot
service: name=dovecot state=restarted
- name: run sievec
- name: Run sievec
command: /usr/bin/sievec /etc/dovecot/sieve/{{ item }}
loop:
- spam-to-folder.sieve
- name: install dovecot
- name: Install dovecot
pacman: name=dovecot,pigeonhole state=present
# FIXME: check directory permissions
- name: create dovecot configuration directory
- name: Create dovecot configuration directory
file: path=/etc/dovecot state=directory owner=root group=root mode=0755
- name: create dhparam
- name: Create dhparam
command: openssl dhparam -out /etc/dovecot/dh.pem 4096 creates=/etc/dovecot/dh.pem
- name: install dovecot.conf
- name: Install dovecot.conf
template: src=dovecot.conf.j2 dest=/etc/dovecot/dovecot.conf owner=root group=root mode=0644
notify:
- reload dovecot
- Reload dovecot
- name: add vmail group
- name: Add vmail group
group: name=vmail gid=5000
- name: add vmail user
- name: Add vmail user
user: name=vmail uid=5000 shell=/usr/bin/nologin group=vmail
- name: install PAM config
- name: Install PAM config
copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
- name: create dovecot sieve dir
- name: Create dovecot sieve dir
file: path=/etc/dovecot/sieve state=directory owner=root group=root mode=0755
- name: install spam-to-folder.sieve
- name: Install spam-to-folder.sieve
copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve/ mode=0644 owner=root group=root
notify:
- run sievec
- Run sievec
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ mail_domain }}"]
- name: install dovecot cert renewal hook
- name: Install dovecot cert renewal hook
template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/dovecot owner=root group=root mode=0755
- name: start and enable dovecot
- name: Start and enable dovecot
service: name=dovecot enabled=yes state=started
- name: open firewall holes
- name: Open firewall holes
ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
with_items:
- imaps
......@@ -51,13 +51,13 @@
tags:
- firewall
- name: install systemd timers
- name: Install systemd timers
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- dovecot-cleanup.timer
- dovecot-cleanup.service
- name: activate systemd timers
- name: Activate systemd timers
systemd:
name: "{{ item }}"
state: started
- name: restart fail2ban
- name: Restart fail2ban
systemd:
name: fail2ban
state: restarted
- name: reload fail2ban jails
- name: Reload fail2ban jails
shell: type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null || true) || true
- name: install fail2ban
- name: Install fail2ban
package:
name: "fail2ban"
state: "present"
notify:
- restart fail2ban
- Restart fail2ban
- name: create systemd unit override path
- name: Create systemd unit override path
file:
path: "/etc/systemd/system/fail2ban.service.d"
state: "directory"
......@@ -13,7 +13,7 @@
group: "root"
mode: 0755
- name: install systemd unit override file
- name: Install systemd unit override file
template:
src: "fail2ban.service.j2"
dest: "/etc/systemd/system/fail2ban.service.d/override.conf"
......@@ -21,7 +21,7 @@
group: "root"
mode: 0644
- name: install local config files
- name: Install local config files
template:
src: "{{ item }}.j2"
dest: "/etc/fail2ban/{{ item }}"
......@@ -32,9 +32,9 @@
- "fail2ban.local"
- "jail.local"
notify:
- restart fail2ban
- Restart fail2ban
- name: install firewallcmd-allports.local
- name: Install firewallcmd-allports.local
template:
src: "firewallcmd-allports.local.j2"
dest: "/etc/fail2ban/action.d/firewallcmd-allports.local"
......@@ -42,9 +42,9 @@
group: "root"
mode: 0644
notify:
- restart fail2ban
- Restart fail2ban
- name: install sshd jail
- name: Install sshd jail
when: fail2ban_jails.sshd
template:
src: "sshd.jail.j2"
......@@ -53,9 +53,9 @@
group: "root"
mode: 0644
notify:
- reload fail2ban jails
- Reload fail2ban jails
- name: install postfix jail
- name: Install postfix jail
when: fail2ban_jails.postfix
template:
src: "postfix.jail.j2"
......@@ -64,9 +64,9 @@
group: "root"
mode: 0644
notify:
- reload fail2ban jails
- Reload fail2ban jails
- name: install dovecot jail
- name: Install dovecot jail
when: fail2ban_jails.dovecot
template:
src: "dovecot.jail.j2"
......@@ -75,9 +75,9 @@
group: "root"
mode: 0644
notify:
- reload fail2ban jails
- Reload fail2ban jails
- name: install nginx-limit-req jail
- name: Install nginx-limit-req jail
when: fail2ban_jails.nginx_limit_req
template:
src: "nginx-limit-req.jail.j2"
......@@ -86,9 +86,9 @@
group: "root"
mode: 0644
notify:
- reload fail2ban jails
- Reload fail2ban jails
- name: start and enable service
- name: Start and enable service
systemd:
name: "fail2ban.service"
enabled: true
- name: restart fetchmail
- name: Restart fetchmail
service: name=fetchmail state=restarted
- name: install fetchmail
- name: Install fetchmail
pacman: name=fetchmail state=present
- name: template fetchmail config
- name: Template fetchmail config
template: src=fetchmailrc.j2 dest=/etc/fetchmailrc owner=fetchmail group=nobody mode=600
notify:
- restart fetchmail
- Restart fetchmail
- name: start and enable fetchmail
- name: Start and enable fetchmail
service: name=fetchmail enabled=yes state=started
# NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service)
# https://github.com/systemd/systemd/issues/2830
# https://bugzilla.opensuse.org/show_bug.cgi?id=1146856
# - name: restart firewalld
# - name: Restart firewalld
# service: name=firewalld state=restarted
- name: stop firewalld
- name: Stop firewalld
service: name=firewalld state=stopped
listen: restart firewalld
- name: start firewalld
- name: Start firewalld
service: name=firewalld state=started
listen: restart firewalld
- name: install firewalld
- name: Install firewalld
pacman:
name: firewalld
state: present
- name: install firewalld config
- name: Install firewalld config
template: src=firewalld.conf.j2 dest=/etc/firewalld/firewalld.conf owner=root group=root mode=0644
notify:
- restart firewalld
- Restart firewalld
- name: start and enable firewalld
- name: Start and enable firewalld
service:
name: firewalld
enabled: "{{ configure_firewall }}"
state: "{{ configure_firewall | ternary('started', 'stopped') }}"
- name: disable default dhcpv6-client rule
- name: Disable default dhcpv6-client rule
ansible.posix.firewalld:
service: dhcpv6-client
state: disabled
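Review bot: The notify on the `Install firewalld config` task now targets `Restart firewalld`, but the two handlers that implement the restart in the handlers hunk above (`Stop firewalld` / `Start firewalld`) still declare `listen: restart firewalld` in lowercase, and those listen lines are unchanged by this commit. Ansible matches a notification against handler names and listen topics as exact strings, so as far as I can tell the restart would no longer fire and the play would instead fail with an unknown-handler error the first time firewalld.conf changes. Capitalize the topic on both handlers, `listen: Restart firewalld`, or keep the notify on the old topic; the commented-out handler at the top of the handlers file already uses the capitalized form, so changing the listen lines keeps all three consistent. The `Disable default dhcpv6-client rule` task continues past the end of this hunk.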
- name: restart php-fpm@fluxbb
- name: Restart php-fpm@fluxbb
systemd: name=php-fpm@fluxbb.service state=restarted
- name: create user
- name: Create user
user: >
name=fluxbb home="{{ fluxbb_dir }}"
shell=/bin/false system=yes createhome=no
- name: clone fluxbb
- name: Clone fluxbb
git:
repo: https://gitlab.archlinux.org/archlinux/archbbs.git
dest: "{{ fluxbb_dir }}"
version: "{{ fluxbb_version }}"
- name: fix home permissions
- name: Fix home permissions
file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}"
changed_when: false
- name: create uploads directory
- name: Create uploads directory
file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}/uploads"
- name: create mariadb database
- name: Create mariadb database
mysql_db: name=fluxbb state=present
- name: create mariadb user
- name: Create mariadb user
mysql_user: >
user=fluxbb host=localhost password={{ fluxbb_db_password }}
priv='fluxbb.*:ALL'
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ fluxbb_domain }}"]
- name: create nginx log directory
- name: Create nginx log directory
file: path=/var/log/nginx/{{ fluxbb_domain }} state=directory owner=root group=root mode=0755
- name: configure nginx
- name: Configure nginx
template: >
src=nginx.conf.j2 dest=/etc/nginx/nginx.d/fluxbb.conf
owner=root group=root mode=0644
notify: reload nginx
notify: Reload nginx
- name: install python-passlib
- name: Install python-passlib
pacman: name=python-passlib
- name: create auth file
- name: Create auth file
htpasswd: >
path=/etc/nginx/auth/fluxx
name={{ fluxbb_htpasswd.username }}
password={{ fluxbb_htpasswd.password }}
owner=root group=http mode=0640
- name: install forum config
- name: Install forum config
template: >
src=config.php.j2 dest={{ fluxbb_dir }}/config.php
owner=fluxbb group=fluxbb mode=400
- name: install php-apcu
- name: Install php-apcu
pacman: name=php-apcu,php-intl
- name: configure php-fpm
- name: Configure php-fpm
template: >
src=php-fpm.conf.j2 dest=/etc/php/php-fpm.d/fluxbb.conf
owner=root group=root mode=0644
notify: restart php-fpm@fluxbb
notify: Restart php-fpm@fluxbb
- name: start and enable systemd socket
- name: Start and enable systemd socket
service: name=php-fpm@fluxbb.socket state=started enabled=true
- name: restart php-fpm7@flyspray
- name: Restart php-fpm7@flyspray
service: name=php-fpm7@flyspray state=restarted